Comment

Comment on Lawsuit Alleges That WhatsApp Has No End-to-End Encryption

Tox also isn’t that great security wise. It’s hard to beat Signal when it comes to security messengers. And Signal is open source so

source

Sort:hotnew top

REDACTED@infosec.pub ⁨2⁩ ⁨weeks⁩ ago
Well, Whatsapp uses signal. Bad timing

source
- qyron@sopuli.xyz ⁨2⁩ ⁨weeks⁩ ago
  How?
  
  source
  - Appoxo@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago
    Unless proof is given, assume troll
    
    source
    REDACTED@infosec.pub ⁨2⁩ ⁨weeks⁩ ago
    Read the article? An app using signal does not imply that your data is still encrypted from corporations or government. Your neighbour joe is not very likely to break already established SSL, so using signal feels like someone is trying to sell me a bridge. Sense of false security.
    
    source
  - HereIAm@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    WhatsApp is using Signals protocol for communication: signal.org/blog/whatsapp-complete/
    
    I don’t fully understand what it entails, but from what I understand is that yes, WhatsApp is using the same encryption and message flow that signal uses, but you’re still using Meta’s app, and they can just read the plaintext message from there.
    
    source
    qyron@sopuli.xyz ⁨2⁩ ⁨weeks⁩ ago
    To my knowledge, under Signal, the encription keys are locally generated and stored, and the traffic flows between end points as a closed packet.
    
    This does not seem to be the case here, as the keys are generated and stored outside your equipment and, thus, are viable to be used by a third party to access packets.
    
    But I admit I speak heavily burdened by technical ignorance.
    
    source
    -> View More Comments
    Candice_the_elephant@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Or they can make a copy of the encryption keys on creation. Using the code is very different than using the code unedited, or using all the code.
    
    source
  - REDACTED@infosec.pub ⁨2⁩ ⁨weeks⁩ ago
    Read more than just the title ffs
    
    source
    qyron@sopuli.xyz ⁨2⁩ ⁨weeks⁩ ago
    I did and nowhere is Signal mentioned in the article.
    
    You state Whatsapp uses Signal. So, again: how?
    
    source
    -> View More Comments
- Candice_the_elephant@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  It only uses some of signal’s code. Not necessarily the OOTB key storage and security.
  
  source
Tanoh@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

And Signal is open source so, if it did anything weird with private keys, everyone would know

Well, no. At least not by default as you are running a compiled version of it. Someone could inject code you don’t know anything about before compilation that for example leaked your keys.

One way to be more confident no one has, would be to have predictable builds that you can recreate and then compare the file fingerprints. But I do not think that is possible, at least on android, as google holds they signature keys to apps.

source
- pressanykeynow@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  Signal has reproducible builds and here’s the instruction how to check it on Android github.com/signalapp/Signal-Android/…/README.md
  
  source
  - Tanoh@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    If they have, then good. Wasn’t sure it was doable with current google’s signing process. Highly unlikely someone hasn’t tampered with them then (far easier to target the site displaying the “correct” fingerprint).
    
    However, my original point still stands. Just because it is open source doesn’t in itself mean that a bad actor can’t tamper with it.
    
    source
- MaggiWuerze@feddit.org ⁨2⁩ ⁨weeks⁩ ago
  Signal is also on F-Droid, so it should Bd verifiable
  
  source